Data suggests Flame was created by an advanced, nation-sponsored group with cash.

The client applications and related communications protocols supported by the Newsforyou control server used to coordinate Flame attacks. Kaspersky researchers found that at least one of the clients, SP, is still actively infecting computers.

The operators behind Flame, the highly advanced espionage malware that targeted Iran, began their campaign no later than 2006 and supported three other pieces of malicious software, one of which is still circulating on the Internet, researchers said.

The revelations are the result of a forensic investigation of control servers used to help execute the Flame operation. They show the state-sponsored campaign was even more far-reaching than previously believed. The servers were disguised as publishing platforms running a fictitious content management application called Newsforyou and were programmed to destroy hard-drive data to prevent the espionage from ever coming to light. They also used strong cryptography to prevent lower-level operators from controlling infected computers or viewing the contents of data that was extracted from them.

A series of administrative errors left some of the data intact, allowing researchers to extract new evidence that further underscores the sophistication and magnitude of the operation. Key among the undeleted data is the names or code names of four of the people who developed code for the platforms, some as early as 2006. Previous research pegged the start date no later than 2008.

Separately, the recovered data showed that a single server, which was set up on March 25, managed to siphon almost six gigabytes worth of data from its targets in just eight days. Combined with evidence suggesting it was only one of many almost identical servers run by the same group, researchers say they believe the number of Flame victims alone likely exceeded 10,000. The total amount of data they lost is almost incomprehensible.

"That's pretty staggering," said Vikram Thakur, a researcher with Symantec Security Response, referring to the 5.5 gigabytes of data collected by one of two servers he analyzed. "If the attackers actually continued their operations in a similar manner or with high frequency over the past five years they probably have terabytes of information collected from pretty much whoever they chose. That's a lot of information that they could make use of. That would be every target's life history a few times over." The Symantec report he helped prepare is here.

The joint investigation by researchers from Symantec and competing antivirus provider Kaspersky Lab analyzed disk images of two or more command and control servers, at least one of which was owned by an unidentified European company with data centers located in another European Union country. Compared with most control panels used to manage large armies of infected computers, the Newsforyou interface was so sparse that it appeared to be in an early, "alpha" stage of development. But it turned out the absence of overt features for infecting or conducting other botnet-related activities was an attempt to conceal its activities.

"The C&C developers didn't use professional terms such as bot, botnet, infection, malware-command, or anything related in their control panel," a report published on Monday by Kaspersky Lab explained. "Instead they used common words like data, upload, download, client, news, blog, ads, backup etc. We believe this was deliberately done to deceive hosting-company sys-admins who might run unexpected checks."

Kaspersky researchers reached that assessment after they dissected logs that showed how the back-end server software securely communicated with Flame-infected computers. It used a custom-developed communications scheme dubbed OldProtocol to upload and download data in an encrypted format that could only be decrypted by people holding keys that were not stored on the server. This allowed the Flame operators to enforce a strict separation of roles within the organization. Administrators could set up and maintain servers, but they had no control over which updates were pushed to infected clients and no access to the sensitive data collected from them.

As a result, attack operators could download stolen data in encrypted form, but only offline attack coordinators with encryption keys had the ability to decrypt and analyze the data.

The OldProtocol scheme used for Flame, it turns out, is only one of four communications protocols supported with the Newsforyou software, researchers from both AV companies said. Separate protocols dubbed OldProtocolE, SignupProtocol, and RedProtocol were designed to interact with substantially different pieces of malware that have yet to be identified. Significantly, so-called "sinkhole" servers deployed by Kaspersky to intercept connections from Flame-infected computers have received connections from machines compromised by a completely different malware they've dubbed "SPE" that works with the OldProtocolE scheme.

A development timeline of the Newsforyou software that formed the guts of the Flame command and control server. It shows the operation was active in 2006, about two years earlier than previously established. (Image: Kaspersky Lab)

"Therefore, we can confirm the malware known as 'SPE' exists and is currently in-the-wild," Kaspersky researchers wrote. They also found that RedProtocol had not yet been implemented, an indication that the capabilities of the back-end system were still evolving as recently as May, when one of the control servers was deployed. Little is known about the remaining SignupProtocol, other than that it appeared to work with a little-known client dubbed IP.

Botched Suicide Mission

One of the two servers analyzed by Symantec was deployed on May 14, two weeks before the discovery of Flame became public. Unlike the command channel from March, it hosted a new Flame module dubbed "SHREDER" that, as previously reported, instructed Flame-infected computers to remove all traces of the malware. Thakur, the Symantec researcher, told Ars he believes the server was deployed while the Flame actors were racing the clock, shortly after learning their operation had become public. In their hurry, Thakur believes, they made crucial mistakes that left behind the key evidence leading to these latest discoveries.

"On the server which was operating in May, we know that the operators and people behind that server were in a big rush, such a big rush that they didn't set up the server properly," he explained. "It just goes to show that these people were totally human and prone to errors."

Other control servers also appear to have made critical mistakes. The Newsforyou application executed a script every two minutes that moved any newly collected data to an encrypted archive folder, where it could be accessed by senior members of the operation. It also regularly called a Python-based script that was supposed to permanently remove all temporary files on the server to prevent forensic examiners from extracting clues about these activities. But because of a typo, the Eraser.py file never executed: the script that called it pointed to a directory called "pycleaner," while the file actually lived in a directory called "pycleanscr." The operators made other critical mistakes, such as failing to destroy a bash history file that recorded the Unix commands the administrators had issued.
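Checking whether a scheduled cleanup job could ever have run is a routine step when triaging a recovered server image. As an added example (not code from the article or from either vendor's report), this Python audit reads a crontab and a file listing, reports jobs whose script paths do not exist, and points to a same-named file found elsewhere, which is how a path typo of the kind described above shows up. The crontab lines, the file paths and the move_to_archive.php name are constructed assumptions; only the pycleaner/pycleanscr directory names come from the article.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input (not recovered data): a crontab and a file listing of
# the kind an examiner pulls from a disk image. Only the pycleaner/pycleanscr
# directory names mirror the article; every other path is an assumption.
RECOVERED_CRONTAB = """\
# m h dom mon dow command
*/2 * * * * /usr/bin/php /var/www/newsforyou/scripts/move_to_archive.php
*/10 * * * * /usr/bin/python /var/www/newsforyou/pycleaner/Eraser.py
"""

RECOVERED_FILES = [
    "/usr/bin/php",
    "/usr/bin/python",
    "/var/www/newsforyou/scripts/move_to_archive.php",
    "/var/www/newsforyou/pycleanscr/Eraser.py",
]


@dataclass
class Finding:
    command: str          # the cron command that can never have run as written
    missing: List[str]    # absolute paths it references that are not on disk
    candidates: List[str] # files with the same basename found elsewhere


def parse_crontab(text: str) -> List[str]:
    """Return the command field of every non-comment crontab entry."""
    commands = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6:
            commands.append(fields[5])
    return commands


def absolute_paths(command: str) -> List[str]:
    """Extract the tokens of a shell command that look like absolute paths."""
    return [tok for tok in command.split() if tok.startswith("/")]


def audit_cron(crontab: str, files: List[str]) -> List[Finding]:
    """Flag jobs whose referenced paths are absent from the recovered listing.

    A missing path whose basename exists in another directory is the classic
    signature of a typo that made the job fail silently on every run.
    """
    present = set(files)
    by_name: Dict[str, List[str]] = {}
    for f in files:
        by_name.setdefault(posixpath.basename(f), []).append(f)
    findings = []
    for cmd in parse_crontab(crontab):
        missing = [p for p in absolute_paths(cmd) if p not in present]
        if missing:
            cands = [c for p in missing for c in by_name.get(posixpath.basename(p), [])]
            findings.append(Finding(cmd, missing, cands))
    return findings


if __name__ == "__main__":
    for f in audit_cron(RECOVERED_CRONTAB, RECOVERED_FILES):
        print(f"job never ran: {f.command}")
        print(f"  missing: {f.missing}; same-named files: {f.candidates}")
```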

As a result, the server set up in March contained clues showing the almost six gigabytes worth of data it had downloaded from Flame-infected computers. What's more, it showed those victims used 5,377 unique IP addresses—3,702 of which were located in Iran, 1,280 in Sudan and the remainder scattered across 13 other countries.

A break-down by country of the Flame victims targeted by a single command and control server for just eight days. Researchers believe it was only one of many servers used in an espionage operation that may have lasted years. (Image: Kaspersky Lab)

The source code also exposes the names or nicknames of four of the developers who wrote and maintained the server code over the years. To avoid interfering with any investigations that may be in progress, Symantec's Thakur said the names were being publicly identified only as "D***," "H*****," "O******," and "R***." The code itself is well-written and amply commented, although one comment that misspells the word "variable" suggests one or more of the developers may have been prone to typos.

The analysis of the control servers only reinforces the conclusion that Flame was the work of a well-funded, state-sponsored group. Evidence that its command server required people with different levels of trust to carry out jobs of differing sensitivity is consistent with a large, highly structured operation. The fact that work on Flame began no later than 2006 and that the operators developed separate malware further suggests a group with almost limitless resources.

As the Kaspersky report concludes: "These features are not normally found in malware created by everyday cyber-criminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack."

28 Reader Comments

As the Kaspersky report concludes: "These features are not normally found in malware created by everyday cyber-criminals, reaffirming our initial conclusions that Flame is a nation-state sponsored attack."

Yes, but now that the bad guys know what software like this can do, won't they want one of their own?

It's interesting, if not especially informative, to note that there are 68 IP addresses in the United States in the chart shown. If this were a U.S. operation, that might be illegal. Equally interesting is that there are no addresses in Russia, China, or Israel. (Of course, there aren't any in Moldova or Tuvalu, either.)

Tsk.. I clean up systems infected with malware and have for years. There is freely available software to protect us from the most relentless of infections and it too has also been available for years. These apps or the tech behind them have never been incorporated into any commercial AV, which for the most part is functionally useless in protecting systems against rootkits and even worse at removing them. These companies would prefer to hire "researchers" to fill the authors' inbox with alarming news of impending doom than providing software that works.

Their testing and reviews are canned and done in controlled environments, and their in-field successes are more dependent on OS lock downs than anything ...

Anyone really know the reasons why? Maybe it's time Ars looked into this?

They have control of one of the servers. This means the back-end code (i.e. PHP) files could be accessed.

Since these files were not that important (and common) there was no need to encrypt them, even if they did, the solutions to encrypt PHP files are limited.

That makes sense. I'm just a bit surprised that the group deployed "production" level code with comments in it, that's all.

Those comments look autogenerated or something, as they're stupidly obvious in relation to the line that follows. That or a very new software engineer or someone helping a new software engineer, as stupidly obvious comments are a symptom of an immature programmer.

I attended a talk by some research peeps from Kaspersky at SOURCE Boston concerning the probably-related Duqu. They had recovered some bash logs from Linux servers which showed that while people with exceptional talent surely are involved, they have filled out their ranks with beginner programmers and sysadmins to do the "boring" stuff - the sorts who mangle every other Linux command.

The code for my thesis research was better looking than this sample and probably had more unit tests. I guess that means my thesis research was also nation state sponsored. Maybe I should ask for a raise, because my coding skills are so "indicative of a high level of sophistication".

The code for my thesis research was better looking than this sample and probably had more unit tests. I guess that means my thesis research was also nation state sponsored. Maybe I should ask for a raise, because my coding skills are so "indicative of a high level of sophistication".

Pretty sure that code snippet isn't part of Flame or any of the parts that are considered "sophisticated". It's, as the very helpful comments indicate "[a class] in charge of handling the SQL for the site".

But at least you now know that you can certainly write better SQL classes than an overly-paid government employee.

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

If journalists cited that as fact they would (rightly) be called on it being anonymous and unconfirmed. In general, side with extreme caution concerning accuracy when accusing specific nation-states of things like this...

The developers pretty clearly realized that the servers they were running on weren't secure, and took some care to ensure that the code on it looks innocuous and that the payload would be inaccessible to outsiders. While I'm sure they'd have loved to have cleaned up a bit better, I suspect it was known that anyone from outside hackers to a nosy sysadmin might have taken a peek at what was on these servers. That the code comments exist, but are trivial and don't really expose the true function of the server on cursory inspection supports this idea. That aside, we all pretty much know who did this and who they were targeting--I'm not sure this analysis compromises anything that wasn't already "leaked."

As for the other countries on the list--I'm not sure exactly how targeted Flame et al. are--it seems quite possible that the software would have accidentally spread to some unintended targets, depending on how targets are selected. The sophistication of the attacks are hyped up for sure, but it seems to have been effective.

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

You need to check your information, your article is talking about Stuxnet and Operation Olympic Games. Flame very well may have been part of that, or at least involved the same people, but then again it might not have. Saying it was one nation or another is not much more than speculation, and it's appropriate for Ars to not name names when they don't have any kind of facts to support such a claim.

The developers pretty clearly realized that the servers they were running on weren't secure, and took some care to ensure that the code on it looks innocuous and that the payload would be inaccessible to outsiders.

Actually that's going to be the MO of any malware operation. Carefully build a secure encrypted cage around the software so it can't be easily examined by the sysadmins. You for sure don't want a trace-route to point directly at your "secure server"! That's why you get some unaware ISP or server farm to host your CC server.

In my experience there never is enough time to test every freaking line of code. Also the segmentation of the security around the collected data and the software, worked against any "agility"-like methods that could have prevented typos from hosing the logging functions for a long time. The guys writing the code need to get feedback on whether or not the code works as desired.

I do find it completely bonkers though that they managed to collect enough email and commentary from source files to differentiate programmers (or teams). They didn't scrub their source files. That's a pretty serious security fail. Whoever was managing security on the project should get fired. Sounds like they installed the initial build and kept posting updates to the server and got cheap or stupid and used the same site to operate email or IRQ accounts.

If some nation-state 3-letter agency was involved it was likely through some sort of a deniable proxy. Bad software security might be simply because the proxy wasn't that concerned. Most hackers get caught usually because they don't do enough to cover the "debris" of their Internet activity. The programmers might be meant to be the fall-guys.

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

If journalists cited that as fact they would (rightly) be called on it being anonymous and unconfirmed. In general, side with extreme caution concerning accuracy when accusing specific nation-states of things like this...

but sure, it's *probably* true that the US was a key player in Flame

The New York Times wasn't afraid to state it as fact. I think we can trust that when the NYT says it has talked to anonymous sources inside the administration, it isn't just making things up.

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

You need to check your information, your article is talking about Stuxnet and Operation Olympic Games. Flame very well may have been part of that, or at least involved the same people, but then again it might not have. Saying it was one nation or another is not much more than speculation, and it's appropriate for Ars to not name names when they don't have any kind of facts to support such a claim.

Why do Ars articles tip-toe around the issue of which "wealthy nation-state" is behind this attack? Anonymous sources within the Obama administration have already talked to the New York Times about Flame, and they ran a lengthy article about it, even going into the President's attitude towards the operation: http://www.nytimes.com/2012/06/01/world ... wanted=all

You need to check your information, your article is talking about Stuxnet and Operation Olympic Games. Flame very well may have been part of that, or at least involved the same people, but then again it might not have. Saying it was one nation or another is not much more than speculation, and it's appropriate for Ars to not name names when they don't have any kind of facts to support such a claim.

It should also be said that given the significant evidence that the US was behind Stuxnet and Flame, perhaps with the participation of Israel, it is strange that Ars does not name the United States in the article. The omission is more troubling than it would be to include what you might consider speculation. Given the admissions of administration officials that the US is behind Stuxnet, and the links that have been found between Stuxnet and Flame, not to mention their similar purposes and target, Ars certainly does have the facts to support such a claim. That it would not mention these facts betrays a certain political bias.